-
Notifications
You must be signed in to change notification settings - Fork 30k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Prefer GCM ciphers over CBC #1660
Conversation
@mikemaccana I'd be interested in the output of cc: @indutny @jorangreef |
@silverwind I couldn't find startssl's handshake simulator - do you mean SSL Labs? If so, here they are: https://www.ssllabs.com/ssltest/analyze.html?d=ssltest.certsimple.com&hideResults=on Note in particular:
|
@mikemaccana Err, yes of course, SSLLabs :) |
The suite looks to break several clients like Android 2.3, IE8 and OpenSSL 0.9.8, which is too much breakage for us. Maybe a few more compatibilty ciphers could be included to fix those? Here are results from the current defaults for comparison: https://gist.github.com/silverwind/577571de9e2d375b7155 |
@silverwind oh right! https://gist.github.com/indutny/344b7ebd245068ffd1d6 this is what I use :) Looks like I have overlooked this thing. |
@silverwind Yep, that's the 'high' setting. Moz have an intermediate with greater compatibility, I'll deploy & show you results. |
@mikemaccana best to save the results to gist or similar, like I did. These ssllabs links aren't static after all. |
Results with Moz intermedia settings (still prefers GCM, so fixes |
@mikemaccana the intermediate still fails on the same clients. I think we need a custom suite that both includes
I'd suggest starting at the modern mozilla configuration and add ciphers until all except IE 6 can connect. |
Just rebased to make the compare easier. |
@silverwind Odd, Moz thinks intermediate should work on IE7 upwards: https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29 But I've re-rested (just in case it was user error) and same is occurring: https://gist.github.com/mikemaccana/5e12d4d2b8dcfc87b197 IE7 Vista fine, IE8 XP fails. Wonder what XP they use? Pre SP3 there's no SHA256, so any current cert (that doesn't trigger huge warnings in Chrome) won't work - it could be that. I'll investigate further and report back. |
OK simply adding GCM to top of current ciphers, no errors in Chrome, and everything except IE6: https://gist.github.com/mikemaccana/67b94d06bbdf01c94fa4 |
@mikemaccana these results look good. Lets update the PR and give other collaborators some time for feedback. |
@silverwind Done. Also improved the docs. |
offering *some* backward compatibiltity. | ||
|
||
Old clients that rely on insecure and deprecated RC4 or DES-based ciphers | ||
(like Internet Explorer 6) aren't able to complete the handshake with the default |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wrap those long lines at 80 chars, even if it means moving that link to a new line :)
@silverwind done. |
HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA | ||
DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-SHA256: | ||
DHE-RSA-AES128-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK: | ||
!SRP:!CAMELLIA' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe put DHE-RSA-AES128-SHA256
on the line above. Docs don't stricly follow 80 chars, and it would more pleasant visually.
Done. Yep, split links work, I was worried about the same thing but I tested it and it worked fine after rendering. |
ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA256: | ||
DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256: | ||
HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA | ||
HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Another nitpick, but I'd not quote these :)
It's a string. Shouldn't it look like a string? |
Strictly speaking, it's not a true string (not counting template string) because of the newlines, so I'd not add the quotes. |
'ECDHE-ECDSA-AES256-GCM-SHA384', | ||
'DHE-RSA-AES128-GCM-SHA256', | ||
'DHE-DSS-AES128-GCM-SHA256', | ||
'kEDH+AESGCM', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Mmm... is this one necessary? I'm really afraid of this things... And in fact it only does:
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256
May I ask you to replace it with these ones?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hrm, I thought Chrome only did GCM with 128 bit ciphers (still considered more secure than 256 bit AES with CBC). Let me find a reference...
OK, that's not what I was thinking of: a 128 bit GCM is preferred over 256 bit with CBC, but that's all: https://wiki.mozilla.org/Security/Server_Side_TLS#Prioritization_logic
I'll try 256 bit with GCM and re-test...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Re: 'is this one necessary?'
Do you mean the whole six lines with the GCM ciphers? Yes, that's necessary. Most things which don't explicitly have GCM in the name are CBC. You can prove this and convert the custom names OpenSSL uses to the ones Chrome and SSL Labs use (which mention CBC explicitly) here: https://www.openssl.org/docs/apps/ciphers.html
When you say 'And in fact it only does:'
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256
That's not true - see https://gist.github.com/mikemaccana/67b94d06bbdf01c94fa4, most of the time the ephemeral (ECDHE) version is used.
PS. Sorry if I've misunderstood something.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Isn't @indutny talking about kEDH+AESGCM
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure. @indutny?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
kEDH+AESGCM doesn't even seem implemented on default build of OpenSSL 1.0.1e-fips
@indutny if you meant we should get rid of kEDH+AESGCM
I'd agree.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I was talking about kEDH+AESGCM
and it is implemented in ciphers that I initially listed ;)
Ack @silverwind, I normally avoid fixed-width and just use a string, but if we're wrapping at 80 then I guess it's not. Amended. |
Alright, docs are good from my point of view. Leaving the added ciphers up for discussion. Also cc: @shigeki |
Left some comments. |
Would you like me to rebase so it looks like a single commit? I'm happy either way. |
Please keep it as it is for now :) |
LGTM! |
Thank you :) |
Deployed and re-ran test with new ciphers: Same as before obviously (the ciphers we removed weren't in use), but always good to check. |
'ECDHE-ECDSA-AES128-GCM-SHA256', | ||
'ECDHE-RSA-AES256-GCM-SHA384', | ||
'ECDHE-ECDSA-AES256-GCM-SHA384', | ||
'DHE-RSA-AES128-GCM-SHA256', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The ordering doesn't look right to me. It should be strongest to weakest. I think something like this could do:
'ECDHE-ECDSA-AES256-GCM-SHA384',
'ECDHE-RSA-AES256-GCM-SHA384',
'ECDHE-ECDSA-AES128-GCM-SHA256',
'ECDHE-RSA-AES128-GCM-SHA256',
'DHE-RSA-AES128-GCM-SHA256',
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah that's another bit of Mozilla logic. I'll quote them, tell me your thoughts...
AES 128 is preferred to AES 256. There has been [discussions] on whether AES256 extra security was worth the cost, and the result is far from obvious. At the moment, AES128 is preferred, because it provides good security, is really fast, and seems to be more resistant to timing attacks.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IIRC there are actually some attacks that affect 256 bit AES but not 128 bit. Let me find a reference.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm, I'd probably trust Mozilla engineers to make the right choice here, as I never perfed ciphers.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For what it's worth Schneier: 'And for new applications I suggest that people don't use AES-256. AES-128 provides more than enough security margin for the forseeable future. But if you're already using AES-256, there's no reason to change. '
https://www.schneier.com/blog/archives/2009/07/another_new_aes.html
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My own thoughts: either way we should be consistent. The subsequent ciphers are bit length first. If we do re-order to avoid the AES256 related key attacks we should do that consistently, and re-order the old ones as well as the new ones. Maybe that's for another PR?
No probs! |
Alright, I'm convinced it's better to leave the ordering as-is. LGTM |
OK, but we still need to be consistent: if we're avoiding the attacks against apply to 192 and 256 bit AES, we should do it everywhere, including in existing ciphers. I've updated the branch to reflect that and also add the rationale to the docs. |
!MD5: | ||
!PSK: | ||
!SRP: | ||
!CAMELLIA: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm, not sure how I feel about this. It's nice to have these laid out, but takes up a lot of vertical space. Most people don't care that much about ciphers, I think. Care to restore the old format?
Also: Trailing colon.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see what you're saying, but since it's in order, being able to parse top-to-bottom really helps people interested in node/io's default ciphers. If they don't care they can just scroll past. What do you think?
Will fix trailing colon.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It helps interested people to understand, so that's a plus. The extra vertical space is a bit disturbing, but that's just bikeshedding now on my side.
So, overall still LGTM. @indutny you fine with the latest AES128 reordering? |
@mikemaccana please show one more result table with the current list. |
LGTM |
LGTM and let AES128 be first for several years from now. I always refer https://tools.ietf.org/html/rfc7525 for TLS parameters. |
Tested the ciphers myself, looking good. @mikemaccana please squash the commits, add a description and make sure the commit message follows the guidline here. |
@silverwind ack will squash shortly. Will also paste handshake results - was past midnight here when I made last post. |
AES-GCM or CHACHA20_POLY1305 ciphers must be used in current version of Chrome to avoid an 'obsolete cryptography' warning. Prefer 128 bit AES over 192 and 256 bit AES considering attacks that specifically affect the larger key sizes but do not affect AES 128.
Rebase and modified commit message per guidelines - hope it's OK. |
AES-GCM or CHACHA20_POLY1305 ciphers must be used in current version of Chrome to avoid an 'obsolete cryptography' warning. Prefer 128 bit AES over 192 and 256 bit AES considering attacks that specifically affect the larger key sizes but do not affect AES 128. PR-URL: #1660 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]> Reviewed-By: Roman Reiss <[email protected]>
Thanks Mike. Landed in 5755fc0. Your commit title was exceeding 50 chars, so I reworded it. |
😀🙏👍 |
PR-URL: nodejs#1679 Notable Changes: * win,node-gyp: the delay-load hook for windows addons has now been correctly enabled by default, it had wrongly defaulted to off in the release version of 2.0.0 (Bert Belder) nodejs#1433 * os: tmpdir()'s trailing slash stripping has been refined to fix an issue when the temp directory is at '/'. Also considers which slash is used by the operating system. (cjihrig) nodejs#1673 * tls: default ciphers have been updated to use gcm and aes128 (Mike MacCana) nodejs#1660 * build: v8 snapshots have been re-enabled by default as suggested by the v8 team, since prior security issues have been resolved. This should give some perf improvements to both startup and vm context creation. (Trevor Norris) nodejs#1663 * src: fixed preload modules not working when other flags were used before --require (Yosuke Furukawa) nodejs#1694 * dgram: fixed send()'s callback not being asynchronous (Yosuke Furukawa) nodejs#1313 * readline: emitKeys now keeps buffering data until it has enough to parse. This fixes an issue with parsing split escapes. (Alex Kocharin) * cluster: works now properly emit 'disconnect' to cluser.worker (Oleg Elifantiev) nodejs#1386 events: uncaught errors now provide some context (Evan Lucas) nodejs#1654
AES-GCM or CHACHA20_POLY1305 ciphers must be used in current version of Chrome to avoid an 'obsolete cryptography' warning. Prefer 128 bit AES over 192 and 256 bit AES considering attacks that specifically affect the larger key sizes but do not affect AES 128. PR-URL: nodejs#1660 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]> Reviewed-By: Roman Reiss <[email protected]>
AES-GCM
orCHACHA20_POLY1305
ciphers must be used in current version of Chrome to avoid an 'obsolete cryptography' warning. See http://www.chromium.org/Home/chromium-security/education/tls#TOC-Deprecation-of-TLS-Features-Algorithms-in-ChromeThis list comes from the Mozilla Server Side TLS project https://github.com/mozilla/server-side-tls